[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#934160: nfs-common: Umask ignored, all files created world-writable on NFS

Package: nfs-common
Version: 1:1.3.4-2.5
Severity: grave
Tags: security
Justification: user security hole

I have an NFS client and server both running Debian.  I recently
upgraded them both to buster.

I discovered today that the regular process umask has been ignored on
my nfs mounts since the upgrade, and all files and directories are
being created a+rw.

On the client, the fstab fstype is nfs4 and the mount options are
hard,intr,bg,noatime.  The relevant datasets are exported
rw,no_root_squash,no_subtree_check from the server.

In researching this, I stumbled across
https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1779736 and
https://bugzilla.redhat.com/show_bug.cgi?id=1667761 which indicate the
problem is present elsewhere as well.  Adding vers=4.1 to my client's
mount options completely resolved the problem.  (Though now I have a
couple weeks' worth of files with unintentionally open permissions to
wade through.)

I tagged this as security and grave because it opens up quite a few
scenarios for users to receive privileges they shouldn't, and for
other potential mischief (placing malicious executables in
world-writable directories, etc).

The server is indeed running zfs with its default acltype setting
(off).  As the Ubuntu bug report shows, mounting with noacl doesn't
resolve the behavior either.  The RedHat bug occurred with an OpenWRT
server, unlikely to be running zfs.  I do not believe this bug should
be pinned down to ZFS; a filesystem not supporting ACLs should not
result in umask 0 for all clients in any scenario.

-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
-- /etc/default/nfs-common --
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nfs-common depends on:
ii  adduser             3.118
ii  keyutils            1.6-6
ii  libc6               2.28-10
ii  libcap2             1:2.25-2
ii  libcom-err2         1.44.5-1
ii  libdevmapper1.02.1  2:1.02.155-3
ii  libevent-2.1-6      2.1.8-stable-4
ii  libgssapi-krb5-2    1.17-3
ii  libk5crypto3        1.17-3
ii  libkeyutils1        1.6-6
ii  libkrb5-3           1.17-3
ii  libmount1           2.33.1-0.1
ii  libnfsidmap2        0.25-5.1
ii  libtirpc3           1.1.4-0.4
ii  libwrap0            7.6.q-28
ii  lsb-base            10.2019051400
ii  rpcbind             1.2.5-0.3
ii  ucf                 3.0038+nmu1

Versions of packages nfs-common recommends:
ii  python  2.7.16-1

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
pn  watchdog    <none>

-- no debconf information
Reply to: